Is the EFF Right to be Concerned About Mobile Security Patching?

There was a thought-provoking post yesterday from Chris Palmer, Technology Director at the Electronic Frontier Foundation (EFF). He specifically calls out Google Android, for being an open source platform but not being open about security fixes. I agree this looks bad – I’ve been following a couple of threads on the Android Security Discussions group on this topic, waiting for an answer from Google staff, but none has been forthcoming.

I don’t really blame Google for not announcing the details of fixed security vulnerabilities though; the reasons are clear, and pointed out in the EFF post (inability to patch operator-customised ROMs). The Symbian Foundation faced the same dilemma, but didn’t recklessly say they were going to announce fixed security vulnerabilities in the first place! Google should at least be honest about their policy.

That said, I disagree with the EFF on two points:

Firstly, they state that “the security of mobile operating systems is not as mature or as strong as that of workstation and server operating systems.” I think in many ways it is more mature, specifically having learned the lessons of poor desktop security in the past and benefiting from several control points that PCs do not have. The vast majority of mobile malware consists of trojans (indeed all of the Symbian malware that I know of), which don’t exploit security vulnerabilities in the operating system anyway, so their conclusion doesn’t follow.

Secondly, they seem to be recommending that people “jailbreak” their phones: “it is not a violation of the DMCA to jailbreak your mobile device to install third-party patches”, assuming that third parties will develop and distribute security patches that the device manufacturers will not. Jailbreaking the phone can have its own security issues, and I see no evidence that the open source community has any interest in contributing security fixes to mobile phone OSes (the Symbian Foundation didn’t get any such contributions).

Disclosure is no guarantee of security, as Alec Muffett recently reiterated. While I agree with the general concern about the difficulty of creating security patches for mobile phones, and would welcome architectural improvements to make patch creation easier, I think the EFF are seizing on this issue to advance their own political agenda, and I don’t believe it would have any significant effect on the current volume of mobile malware.